[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.635765] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.704634] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.053749] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.914192] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.070079] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 26.476435] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 26.567837] ==================================================================
[ 26.575297] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 26.581428] Read of size 33883 at addr ffff8801b0f4842d by task syz-executor312/4510
[ 26.589282]
[ 26.590903] CPU: 1 PID: 4510 Comm: syz-executor312 Not tainted 4.18.0-rc3+ #137
[ 26.598344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.607682] Call Trace:
[ 26.610256]  dump_stack+0x1c9/0x2b4
[ 26.613867]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 26.619041]  ? printk+0xa7/0xcf
[ 26.622307]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 26.627048]  ? pdu_read+0x90/0xd0
[ 26.630485]  print_address_description+0x6c/0x20b
[ 26.635310]  ? pdu_read+0x90/0xd0
[ 26.638741]  kasan_report.cold.7+0x242/0x2fe
[ 26.643135]  check_memory_region+0x13e/0x1b0
[ 26.647526]  memcpy+0x23/0x50
[ 26.650617]  pdu_read+0x90/0xd0
[ 26.653881]  p9pdu_readf+0x579/0x2170
[ 26.657665]  ? p9pdu_writef+0xe0/0xe0
[ 26.661445]  ? __fget+0x414/0x670
[ 26.664882]  ? rcu_is_watching+0x61/0x150
[ 26.669020]  ? expand_files.part.8+0x9c0/0x9c0
[ 26.673600]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.678622]  ? p9_fd_show_options+0x1c0/0x1c0
[ 26.683104]  p9_client_create+0xde0/0x16c9
[ 26.687340]  ? p9_client_read+0xc60/0xc60
[ 26.691469]  ? find_held_lock+0x36/0x1c0
[ 26.695520]  ? __lockdep_init_map+0x105/0x590
[ 26.699999]  ? kasan_check_write+0x14/0x20
[ 26.704218]  ? __init_rwsem+0x1cc/0x2a0
[ 26.708172]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 26.713174]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.718172]  ? __kmalloc_track_caller+0x5f5/0x760
[ 26.722995]  ? save_stack+0xa9/0xd0
[ 26.726607]  ? save_stack+0x43/0xd0
[ 26.730216]  ? kasan_kmalloc+0xc4/0xe0
[ 26.734085]  ? kmem_cache_alloc_trace+0x152/0x780
[ 26.738912]  ? memcpy+0x45/0x50
[ 26.742178]  v9fs_session_init+0x21a/0x1a80
[ 26.746493]  ? find_held_lock+0x36/0x1c0
[ 26.750546]  ? v9fs_show_options+0x7e0/0x7e0
[ 26.754937]  ? kasan_check_read+0x11/0x20
[ 26.759073]  ? rcu_is_watching+0x8c/0x150
[ 26.763201]  ? rcu_pm_notify+0xc0/0xc0
[ 26.767071]  ? v9fs_mount+0x61/0x900
[ 26.770779]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.775777]  ? kmem_cache_alloc_trace+0x616/0x780
[ 26.780603]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 26.786121]  v9fs_mount+0x7c/0x900
[ 26.789645]  mount_fs+0xae/0x328
[ 26.792991]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.797568]  ? may_umount+0xb0/0xb0
[ 26.801180]  ? _raw_read_unlock+0x22/0x30
[ 26.805307]  ? __get_fs_type+0x97/0xc0
[ 26.809177]  do_mount+0x581/0x30e0
[ 26.812703]  ? copy_mount_string+0x40/0x40
[ 26.816938]  ? copy_mount_options+0x5f/0x380
[ 26.821335]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.826331]  ? kmem_cache_alloc_trace+0x616/0x780
[ 26.831162]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 26.836682]  ? _copy_from_user+0xdf/0x150
[ 26.840810]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.846335]  ? copy_mount_options+0x285/0x380
[ 26.850812]  ksys_mount+0x12d/0x140
[ 26.854420]  __x64_sys_mount+0xbe/0x150
[ 26.858375]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.863372]  do_syscall_64+0x1b9/0x820
[ 26.867239]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 26.872150]  ? syscall_return_slowpath+0x31d/0x5e0
[ 26.877061]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.882576]  ? retint_user+0x18/0x18
[ 26.886269]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.891093]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.896261] RIP: 0033:0x4408d9
[ 26.899439] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 26.918608] RSP: 002b:00007ffd04d10558 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 26.926295] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 26.933554] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[ 26.940803] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[ 26.948053] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401da0
[ 26.955299] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 26.962551]
[ 26.964157] Allocated by task 4510:
[ 26.967767]  save_stack+0x43/0xd0
[ 26.971201]  kasan_kmalloc+0xc4/0xe0
[ 26.974895]  __kmalloc+0x14e/0x760
[ 26.978412]  p9_fcall_alloc+0x1e/0x90
[ 26.982201]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 26.987368]  p9_client_rpc+0x1bd/0x1400
[ 26.991319]  p9_client_create+0xd09/0x16c9
[ 26.995533]  v9fs_session_init+0x21a/0x1a80
[ 26.999833]  v9fs_mount+0x7c/0x900
[ 27.003349]  mount_fs+0xae/0x328
[ 27.006694]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 27.011257]  do_mount+0x581/0x30e0
[ 27.014782]  ksys_mount+0x12d/0x140
[ 27.018386]  __x64_sys_mount+0xbe/0x150
[ 27.022341]  do_syscall_64+0x1b9/0x820
[ 27.026219]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.031386]
[ 27.032990] Freed by task 0:
[ 27.035987] (stack is not available)
[ 27.039679]
[ 27.041290] The buggy address belongs to the object at ffff8801b0f48400
[ 27.041290]  which belongs to the cache kmalloc-16384 of size 16384
[ 27.054270] The buggy address is located 45 bytes inside of
[ 27.054270]  16384-byte region [ffff8801b0f48400, ffff8801b0f4c400)
[ 27.066205] The buggy address belongs to the page:
[ 27.071113] page:ffffea0006c3d200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 27.081061] flags: 0x2fffc0000008100(slab|head)
[ 27.085711] raw: 02fffc0000008100 ffffea0006be4a08 ffff8801da801c48 ffff8801da802200
[ 27.093572] raw: 0000000000000000 ffff8801b0f48400 0000000100000001 0000000000000000
[ 27.101429] page dumped because: kasan: bad access detected
[ 27.107111]
[ 27.108715] Memory state around the buggy address:
[ 27.113622]  ffff8801b0f4a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.120961]  ffff8801b0f4a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.128300] >ffff8801b0f4a400: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.135644]                                ^
[ 27.140037]  ffff8801b0f4a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.147388]  ffff8801b0f4a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.154722] ==================================================================
[ 27.162057] Disabling lock debugging due to kernel taint
[ 27.167576] Kernel panic - not syncing: panic_on_warn set ...
[ 27.167576]
[ 27.174943] CPU: 1 PID: 4510 Comm: syz-executor312 Tainted: G    B             4.18.0-rc3+ #137
[ 27.183770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.193107] Call Trace:
[ 27.195678]  dump_stack+0x1c9/0x2b4
[ 27.199287]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.204454]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.209187]  panic+0x238/0x4e7
[ 27.212358]  ? add_taint.cold.5+0x16/0x16
[ 27.216493]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 27.220894]  ? pdu_read+0x90/0xd0
[ 27.224331]  kasan_end_report+0x47/0x4f
[ 27.228280]  kasan_report.cold.7+0x76/0x2fe
[ 27.232581]  check_memory_region+0x13e/0x1b0
[ 27.236965]  memcpy+0x23/0x50
[ 27.240050]  pdu_read+0x90/0xd0
[ 27.243308]  p9pdu_readf+0x579/0x2170
[ 27.247093]  ? p9pdu_writef+0xe0/0xe0
[ 27.250893]  ? __fget+0x414/0x670
[ 27.254326]  ? rcu_is_watching+0x61/0x150
[ 27.258453]  ? expand_files.part.8+0x9c0/0x9c0
[ 27.263024]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.268036]  ? p9_fd_show_options+0x1c0/0x1c0
[ 27.272520]  p9_client_create+0xde0/0x16c9
[ 27.276736]  ? p9_client_read+0xc60/0xc60
[ 27.280863]  ? find_held_lock+0x36/0x1c0
[ 27.284905]  ? __lockdep_init_map+0x105/0x590
[ 27.289382]  ? kasan_check_write+0x14/0x20
[ 27.293594]  ? __init_rwsem+0x1cc/0x2a0
[ 27.297549]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 27.302545]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.307541]  ? __kmalloc_track_caller+0x5f5/0x760
[ 27.312370]  ? save_stack+0xa9/0xd0
[ 27.315974]  ? save_stack+0x43/0xd0
[ 27.319580]  ? kasan_kmalloc+0xc4/0xe0
[ 27.323443]  ? kmem_cache_alloc_trace+0x152/0x780
[ 27.328264]  ? memcpy+0x45/0x50
[ 27.331525]  v9fs_session_init+0x21a/0x1a80
[ 27.335826]  ? find_held_lock+0x36/0x1c0
[ 27.339881]  ? v9fs_show_options+0x7e0/0x7e0
[ 27.344272]  ? kasan_check_read+0x11/0x20
[ 27.348397]  ? rcu_is_watching+0x8c/0x150
[ 27.352521]  ? rcu_pm_notify+0xc0/0xc0
[ 27.356388]  ? v9fs_mount+0x61/0x900
[ 27.360078]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.365073]  ? kmem_cache_alloc_trace+0x616/0x780
[ 27.369894]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 27.375415]  v9fs_mount+0x7c/0x900
[ 27.378939]  mount_fs+0xae/0x328
[ 27.382283]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 27.386842]  ? may_umount+0xb0/0xb0
[ 27.390461]  ? _raw_read_unlock+0x22/0x30
[ 27.394595]  ? __get_fs_type+0x97/0xc0
[ 27.398462]  do_mount+0x581/0x30e0
[ 27.401991]  ? copy_mount_string+0x40/0x40
[ 27.406210]  ? copy_mount_options+0x5f/0x380
[ 27.410599]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.415593]  ? kmem_cache_alloc_trace+0x616/0x780
[ 27.420415]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.425933]  ? _copy_from_user+0xdf/0x150
[ 27.430058]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.435572]  ? copy_mount_options+0x285/0x380
[ 27.440050]  ksys_mount+0x12d/0x140
[ 27.443653]  __x64_sys_mount+0xbe/0x150
[ 27.447613]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.452608]  do_syscall_64+0x1b9/0x820
[ 27.456471]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.461378]  ? syscall_return_slowpath+0x31d/0x5e0
[ 27.466284]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.471798]  ? retint_user+0x18/0x18
[ 27.475497]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.480321]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.485489] RIP: 0033:0x4408d9
[ 27.488651] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.507767] RSP: 002b:00007ffd04d10558 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 27.515451] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 27.522695] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[ 27.529942] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[ 27.537186] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401da0
[ 27.544433] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 27.552163] Dumping ftrace buffer:
[ 27.555682]    (ftrace buffer empty)
[ 27.559365] Kernel Offset: disabled
[ 27.562966] Rebooting in 86400 seconds..